Introduction to the 4.x sandbox


This topic was drafted to provide an introduction to the 4.x sandbox. It may help you understand the 5.x sandbox, but some information will not be correct.

What is it for?

Please help us improve this introduction by posting suggestions to the ‘Sandbox help materials - Feedback topic’ here.

This introduction has been prepared by a volunteer moderator – with input from many other moderators (Thanks everyone, especially: Ronny, Omletguy, Dennis2, Arkangyal). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.

Updated: 12 June 2010, to reflect changes up to CIS version

The CIS sandbox helps CIS provide ‘good enough security’ with minimum inconvenience. It does this by automatically restricting what unknown software can do until it’s been checked out by Comodo. Because restrictions are automatic, there are almost no alerts [1]. Because restrictions are not severe, the software can (in the main) be used while analysis is pending.

[1] Global hook, certain COM interface, and internet access alerts may still occur for some programs in version 4.1. Comodo is working on this.

Software unknown to CIS is, by default, automatically sandboxed unless it is installation software. The user is alerted [1]. Known safe software started by unknown software is also sandboxed, but without an alert [4]. Automatic sandboxing means that it runs with restricted operating system and Defense+ privileges [2], greatly restricting the damage it can do if it is malware. It does not mean that files and registry keys created by the software are stored in the sandbox. The software is then sent to Comodo for analysis [3]. If it is pronounced safe then the software is automatically removed from the sandbox. If it’s malware then the antivirus database will be updated, and you’ll be offered the normal options to deal with it next time the software is run or scanned.

You can also choose to sandbox suspect software in the sandbox manually, but this facility is still very much under development. (Despite this, rather strangely, the GUI devotes most space to these facilities - ‘Run a program in the sandbox’ and ‘Add a program to the sandbox’ deal exclusively with manual sandboxing). If you sandbox software manually, some file and registry keys are, by default, stored or copied in the sandbox. Please see the Virtualisation FAQ here for further information on this facility. A range of other options are also available.

[1] Automatic sandboxing is the default, it can be turned off by using the relevant tick box in ‘Sandbox Settings’. Installation software is identified through file characteristics and by asking for administrator privileges in Windows.
[2] Technically, automatically sandboxed software can write to the disk, but it cannot: a) write to (i.e. infect) existing protected files or registry keys; b) take admin privileges; c) consume too many resources; d) key log or screen grab, set Windows hooks, access protected COM interfaces, or access non-sandboxed applications in memory; e) access the internet without asking.
[3] In early versions the submission service may not be continuously available, submissions may not be automatic, and files may take some time to be processed. Further info here.
[4] Even if it is in My Safe Files, & presumably, even if it is an installer

Although you can choose to sandbox software yourself, the current version of the CIS sandbox is not intended to be an alternative to a traditional sandbox like Sandboxie. The CIS sandbox does not intercept all actions by sandboxed software. It does not sandbox installation software, or installed program files and so cannot wipe all traces of installed software from your system if you decide to uninstall it. However it does provide good protection in other ways (see how the sandbox works) and these facilities are being constantly improved.

You get ‘unlimited access’ alerts when CIS is faced with unknown installation software. The installation software needs greater Defense+ and operating system privileges than the CIS sandbox normally grants unknown software. If the setting ‘Automatically recognise installer…’ is checked, CIS grants installation software almost total freedom and suppresses all alerts (though it still makes log entries). You should say yes if you fully trust the vendor of the software, no or ‘sandbox’ otherwise.

If you say ‘no’ you can uncheck ‘Automatically recognise…’ and re-run the installer with all Defense+ alerts enabled. If you say ‘sandbox’ the installer software will be sandboxed, and thus unable to damage your system, but the files that it installs, and registry keys it creates, will be created in their normal locations (i.e. virtual copies will not be created in the sandbox). The installed files will not be able to harm your system unless you run the software from the installer - so it’s best not to do this.

CIS will normally alert you, and make a D+ log entry, every time it automatically sandboxes software and when it removes software from the sandbox. Automatically sandboxed software also shows up in ‘My pending files’ alongside other software which has been submitted to Comodo for analysis. Automatically sandboxed files do not show up in ‘Programs in the sandbox’, which shows only manually sandboxed files added via ‘Programs in the sandbox’.

However CIS will not generate an alert or a log entry when files are automatically sandboxed just because they are run by other files which are sandboxed. Nor will such files appear in my pending files.
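To make the automatic sandboxing rules above easier to check against, here is a small model of them as a decision function. This is an added illustration written for this topic, not Comodo code, and it encodes only what the text states: unknown software is sandboxed (with alert, log entry and a ‘My pending files’ entry) unless it is an installer; unknown installers get the ‘unlimited access’ alert instead; software started by sandboxed software is sandboxed silently even if it is in My Safe Files; and turning the ‘Sandbox Settings’ tick box off disables automatic sandboxing. The ‘Automatically recognise installer…’ setting and the user’s answer to the alert are not modelled. All names, the `Program`/`Settings`/`Decision` types and the sample programs are assumptions made for the example.

```python
"""Model of the CIS 4.x automatic sandboxing rules as described in the topic.

Illustrative reconstruction only, not Comodo's implementation. Field names,
types and sample programs are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Trust(Enum):
    UNKNOWN = "unknown"   # not yet checked out by Comodo
    SAFE = "safe"         # in My Safe Files, or known safe to Comodo


@dataclass
class Settings:
    automatic_sandboxing: bool = True   # the tick box in 'Sandbox Settings'


@dataclass
class Program:
    name: str
    trust: Trust
    is_installer: bool = False
    parent_sandboxed: bool = False      # started by software that is itself sandboxed


@dataclass
class Decision:
    sandboxed: bool
    alert: Optional[str]        # None, "sandbox" or "unlimited access"
    log_entry: bool             # does CIS write a D+ log entry?
    in_pending_files: bool      # does it appear in 'My pending files'?


def decide(p: Program, s: Settings = Settings()) -> Decision:
    """Apply the topic's rules in the order the text implies."""
    if p.parent_sandboxed:
        # Run by sandboxed software: sandboxed without alert or log entry,
        # even if it is in My Safe Files, and never listed in My pending files.
        return Decision(sandboxed=True, alert=None, log_entry=False, in_pending_files=False)
    if p.trust is Trust.SAFE:
        # Known safe, started normally: not sandboxed, nothing to report.
        return Decision(sandboxed=False, alert=None, log_entry=False, in_pending_files=False)
    if p.is_installer:
        # Unknown installer: not auto-sandboxed; the user gets the
        # 'unlimited access' alert (yes / no / sandbox) and CIS logs it.
        return Decision(sandboxed=False, alert="unlimited access", log_entry=True, in_pending_files=False)
    if not s.automatic_sandboxing:
        # Tick box off: ordinary Defense+ alerts apply instead (not modelled here).
        return Decision(sandboxed=False, alert=None, log_entry=False, in_pending_files=False)
    # Default case: unknown, non-installer software started by the user.
    return Decision(sandboxed=True, alert="sandbox", log_entry=True, in_pending_files=True)


def run_examples(s: Settings = Settings()) -> List[Tuple[str, Decision]]:
    """Constructed sample programs covering each branch of the rules."""
    samples = [
        Program("newtool.exe", Trust.UNKNOWN),
        Program("setup.exe", Trust.UNKNOWN, is_installer=True),
        Program("notepad.exe", Trust.SAFE),
        Program("notepad.exe", Trust.SAFE, parent_sandboxed=True),
    ]
    return [(p.name, decide(p, s)) for p in samples]


if __name__ == "__main__":
    for name, d in run_examples():
        print(f"{name:14} sandboxed={d.sandboxed} alert={d.alert} "
              f"log={d.log_entry} pending={d.in_pending_files}")
```

Reading the output next to the text is a quick way to spot a rule you have misremembered, for example that a safe program launched from a sandboxed one is itself sandboxed but generates neither an alert nor a log entry.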

More detail in the FAQ here.

When CIS tells you it wants to sandbox software, you can decline this, but you will have to re-start the software concerned to take it out of the sandbox. Alternatively you can unsandbox software by adding it to My Safe Files, either by using ‘Move to’ in ‘My Pending Files’ (details here) or by using ‘Add’ in ‘My Safe Files’, and restarting the software. Sometimes it can be difficult to remove files from the sandbox - information on how to get over this is here. NB Defining a file as a trusted file in the Computer Security Policy does not remove it from the sandbox.

The CIS sandbox is designed to provide a good level of security in practice to a wide range of people, not the highest level of security in principle to a small number of experts.

Currently, using the sandbox is probably a good idea for less expert users operating in normal internet environments, as it reduces the tendency to automatically ‘allow’ possibly puzzling Defense+ alerts because of their frequency. More expert users operating in high risk internet zones should probably disable the sandbox and rely on their own expertise to make judgements on the basis of the Defense+ alerts that the sandbox suppresses. I am a reasonably experienced computer user but I have it enabled because it provides ‘good enough’ security, and leads to lower hassle computer use. Its facilities will doubtless become more secure over time.

Not yet. It’s useful as it is, but we are promised that it will improve greatly both in usability and security in forthcoming releases.

As I find out more I’ll edit this topic. A detailed screen by screen guide to all the settings is available in CIS help text, under ‘Defense+ Tasks ~ Sandbox’ and ‘Introduction ~ Understanding alerts’. A FAQ is being developed here.

Yes it will. Except that registry virtualisation is disabled in 64-bit Windows XP. The user is not currently informed about this - Comodo is considering adding an alert.

This is one of the main reasons why it is designed as it is. Most sandboxes will not work on 64-bit systems because they use undocumented OS facilities (which do not work in 64-bit) to intercept program to program communications. The CIS sandbox avoids this by not creating virtual copies of installed programs, which means it does not need to intercept these communications.
